Cyber Security in the Utility Sector
The modern world often grinds to a halt when there is an interruption to any of the services provided by the utility sector of the economy. This happens, for example, when the electrical supply fails, or when a city transport system is brought to a halt with no trains or buses in operation. Even something as local as the traffic lights being out of service at an important, busy junction can cause traffic jams for miles.
The utility sector has been identified around the world as crucial, and many governmental and regulatory bodies have passed legislation to help ensure services are always available. From the EU NIS in Europe to the designated critical infrastructure sectors outlined by the DHS in the USA and more, utility services such as electricity generation and supply, gas distribution, other energy suppliers, transport systems, drinking water, waste removal, health service providers and others have to ensure they take steps to protect service delivery from interruption, including from external cyber and physical threats.
What are the threats?
Threats against the infrastructure that delivers critical utility sector services come from various sources. At a basic level, there is a risk of unauthorised access to physical sites and systems by people who shouldn't be there. This is a more significant issue than most people think, as this enlightening talk by physical security specialist Deviant Ollam shows. Getting into many secure areas is not as difficult as most people would think - see the unauthorised entrance into a water treatment facility in the video.
In addition to physical access, there are also cyber threats to the control systems that operate and monitor critical infrastructure. These are known as ICS or SCADA systems, and as systems are modernised and legacy infrastructure is networked to make it easier to manage, the surface area for attacks increases. Traditionally, ICS systems were bespoke, and it took expertise to compromise them. Increasingly, ICS systems are being integrated with more mainstream IT systems. This delivers benefits, but it also increases the threat: as ICS systems start to use more mainstream IT hardware and software, they become easier for cybercriminals to attack, because attackers need a lot less specialised knowledge, or no knowledge at all, given the proliferation of off-the-shelf attack kits that anyone can use without knowing how they work. The 2017 Triton attack targeted safety controllers that are in use in 18,000 sites worldwide. Security experts see targeted attacks from state or state-backed criminals as a threat that will get more prominent in the future.
There are also threats to critical systems that are often outside the control of the organisation delivering a utility service. Most will have hundreds or even thousands of third-party supply chain partners. All of them provide a potential interface point that could be exploited to gain unauthorised access.
Another potential point of attack comes from internal staff. This can come from disgruntled employees or good old-fashioned human error. People make mistakes, and they will continue to do so, so systems need to be in place to catch those mistakes or mitigate their effects.
The impact of any attack that disrupts the delivery of critical utility services will be financial (both in revenue terms and prospective fines under EU NIS) and also reputational, with the latter having long-term knock-on effects as customers switch providers or government contracts are awarded to rivals.
Responding to the threats
Protecting utility sector infrastructure and systems against attack requires a strategy and tactics that are both wide and deep. Firstly, the physical access security needs to be robust. Malicious cyber criminals will try both electronic and physical access. The best IT security defences in the world will be useless if a malicious person can physically get into your facility to do damage or read sensitive documents.
Secondly, the IT defences for the ICS and other IT systems need to be up to date, robust, and continuously updated. This is a specialist task that requires experts in all the systems to play a part. One approach to ensuring security is to build a multidisciplinary team with internal and external experts. It should comprise experts on the infrastructure, the ICS control systems, the interfaces to supply chain vendors, and other IT systems. IT security is a rapidly changing field. The best experts in this area are those whose full-time focus is on the emerging threats and how to counter them. Renaissance and our suite of security vendors and partners are ideally placed to work with any utility sector organisation to help analyse current security systems, design a way to improve them, and deliver the improvements over time, starting with the most critical systems and vulnerabilities.
Attacks against utility infrastructure are increasing. The threats are evolving at a rapid rate, and the expertise needed to attack utility services is now in the hands of anyone who wants to do it. Join Renaissance and Indegy on the 25th June for a webinar in which we will outline the threats to ICS systems and how to start the process of improving the cybersecurity of all critical utility services infrastructure.